I wouldn't be too sure about that. If bored employees can find a way to bypass the terminal software and get to a web browser, bam! Next thing you know your expensive and insecure POS system is infected.

This brings up the question of who is at fault. Is it the terminal producers' fault for being breached to begin with? Is it the companies' fault for not having better security themselves? The banks take the losses because the fraud was perpetrated on their customers, yet it was done so via means mostly out of their control.

Which brings up the question of how pressure applies to keep these things from happening. If a party not directly at fault takes much of the loss, that doesn't apply much pressure on those who are at fault to do much of anything to change the situation so it doesn't happen next time. Or maybe it is the bank's fault for using something as easily stolen as credit cards, but if so, what replaces them?

Happened here in Australia for quite a few places which sell fast food, and other stores which all use the same model.

1. Crook (that's Aussie lingo) goes and pinches an EFTPOS unit of a known type from a KFC (example only) in one suburb.
2. Crook's IT guru mate uploads custom firmware which logs the card IDs and the keypresses (account type and PIN).
3. Crook then swaps the now infected device with the unit in place at a different location of the same chain store, which is the same model (usually when min wage staff aren't paying attention).
4. A month later they go back and steal the compromised unit full of skimmed data and sell the details.

Most large food chains here now have the units cabled and secured (Kensingtons or the like) so they can't be pinched from the stores, specifically to prevent this. They also got new units which look radically different, so any missing ones in circulation can't be merged back into use. They were proactive about it; it happened ~2 years ago and made the news here for a couple of days.

So someone did learn something about security and acted upon it. Colour me impressed.

The companies purchase the terminals with the assumption that their software wouldn't result in the loss of their customer data. What more can a terminal owner do? They are not technical experts in most cases.

The comment about these terminals not being connected to the internet isn't entirely correct. The terminals are connected to the internet, otherwise they wouldn't be able to verify the payments or update their base operating system.

I see no evidence these Point of Sale terminals were even running Windows, to be honest [at least from the source article].

Just a correction to the article. The guy from TechCentral was not quite correct. The spokesperson from the Payments Association South Africa, which governs all payment systems in South Africa, corrected some of the information. The POS devices were not compromised. The problem was the server/gateway running behind them. It is also likely that these machines were not patched and therefore more vulnerable.

Also, it only affected people using old cards, i.e. ones without the chip. Since very few people use the old mag stripe cards, very little (relatively) was stolen.

Also, one security consultant was saying the problem is the servers are not often updated with the latest Microsoft security patches, i.e. retailers are negligent. So they were probably infected because of that.

Seems that the problem must have been mishandled somehow. Collecting so much money must take substantial time, and on that scale people are bound to notice false charges on their cards. Then how can the operation continue and spread for months? Especially when it involves chain restaurants, you'd think that it can't be that hard to take quick coordinated action.

These POS terminals are not maintained by the retailers. They're maintained by the banks that the retailers obtain the terminals from.

Ofc the banks are responsible. They are the ones insisting on insecure systems for paying. All of Europe changed paying terminals to the new super secure solution. Only that gaping holes in it were found even before the implementation in shops started, but banks gave no fucks. They claimed that it's 100% safe and there is no fraud. Ofc that went away in court (UK, IIRC) once the security researchers presented their findings (after banks threatened the university).

If the banks actually worked with Visa and Mastercard to implement a really secure system, they would have a lot fewer issues, but for some reason they seem to enjoy having insecure systems in use.

Finally, a few million dollars is nothing considering how much money they make, so who gives the slightest fuck. Those that stole the money are probably more useful to society than the parasitic banks.

THINK: when you use your card: you are NOT authorizing ONE transaction: you are giving the merchant INDEFINITE UNRESTRICTED access to your account.

If the merchant is hacked, the card numbers are then sold on the black market. Hackers then prepare bogus cards -- with real customer numbers -- and then send "mules" out to purchase high value items -- that can be resold.

It's a rough way to scam cash, and the "mules" are most likely to get caught -- not the hackers who compromised the merchants' systems.

The POST will need to be re-designed to accept customer "Smart Cards".

The Customer Smart Card will need an on-board processor -- with PGP.

When the customer presents the card it DOES NOT send the customer's card number to the POST. Instead, the POST will submit an INVOICE to the customer's card. On customer approval the customer's card will encrypt the invoice together with authorization for payment to the PCI (Payment Card Industry Card Service Center) for processing and forward the cipher text to the POST.

Neither the POST nor the merchant's computer can read the authorizing message because it is PGP encrypted for the PCI service. Therefore the merchant's POST must forward the authorizing message cipher text to the PCI service center.

On approval the PCI Service Center will return an approval note to the POST and an EFT from the customer's account to the merchant's account.

The POST will then print the PAID invoice. The customer picks up the merchandise and the transaction is complete.

The merchant never knows who the customer was: the merchant never has ANY of the customer's PII data.

Cards are NOT updated. They are DISPOSABLE and are replaced at least once a year -- when the PGP signatures are set to expire. Note that PGP signatures can also be REVOKED if the card is lost.
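The invoice-to-card flow the post describes, worked through as an added example (not the poster's code, nor any real payment network's): the card signs the POST's invoice and seals it for the PCI service center, the POST relays bytes it cannot read, and the PCI side enforces the yearly expiry and loss revocation before approving. RSA-OAEP with a fixed label stands in for PGP, and the card ID, invoice string and type names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"strings"
	"time"
)

// cardRec is what the PCI service center keeps for each disposable card.
type cardRec struct {
	pub     ed25519.PublicKey
	expires time.Time // the post's yearly replacement date
	revoked bool      // set when the card is reported lost
}
// PCIService owns the only key that can open authorizations, plus the registry.
type PCIService struct {
	priv  *rsa.PrivateKey
	Cards map[string]*cardRec
}
// Card holds its signing key and the PCI public key; it never gives the POST a card number.
type Card struct {
	ID   string
	priv ed25519.PrivateKey
	pci  *rsa.PublicKey
}
func NewPCIService() *PCIService {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return &PCIService{priv: k, Cards: map[string]*cardRec{}}
}
func (p *PCIService) Issue(id string, expires time.Time) *Card {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // fresh key per disposable card
	p.Cards[id] = &cardRec{pub: pub, expires: expires}
	return &Card{ID: id, priv: priv, pci: &p.priv.PublicKey}
}
// Seal is the card's step: sign the invoice, then encrypt sig||cardID||NUL||invoice to PCI.
func (c *Card) Seal(invoice string) ([]byte, error) {
	plain := append(ed25519.Sign(c.priv, []byte(invoice)), c.ID+"\x00"+invoice...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, c.pci, plain, []byte("pci-auth"))
}

// Process is the PCI step on the blob the POST relayed: decrypt, check the card, verify, approve.
func (p *PCIService) Process(blob []byte, now time.Time) (string, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, p.priv, blob, []byte("pci-auth"))
	if err != nil || len(plain) < ed25519.SignatureSize {
		return "", errors.New("not sealed for PCI, or tampered in transit")
	}
	id, invoice, _ := strings.Cut(string(plain[ed25519.SignatureSize:]), "\x00")
	rec, ok := p.Cards[id]
	if !ok || rec.revoked || now.After(rec.expires) {
		return "", errors.New("card unknown, revoked or expired")
	}
	if !ed25519.Verify(rec.pub, []byte(invoice), plain[:ed25519.SignatureSize]) {
		return "", errors.New("invoice not signed by this card")
	}
	return invoice, nil // the EFT to the merchant's account would be triggered here
}
```

Replay protection (the PCI side remembering invoice nonces it has already paid) is left out of the block and would sit alongside the expiry check.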

Running Windows dramatically lowers the barrier to entry for malicious purposes. Heck, I'm developing software and testing on a live POS machine during store hours. Nothing stops me from logging keystrokes and stealing the magnetic strip data from the cards being swiped. (The card reader is really an HID device to the computer.)

Interesting idea--but what type of latency would this create when waiting in line at the checkout, or at the gas station?

Effectively none. Transactions already have to phone home for approval and that's the slow link in the chain.

Sheesh, why all the down votes on Spazmodica's comment? That was my first thought, too. I do a lot of field support on business equipment including POS systems and I can tell you that employees DO surf the web. Until I lock down the machines, that is. And disable CD-ROM and USB ports. And any other soft spot I can determine.

Back when my company used to lock down our terminals to prevent browsing, you can bet most of us were prying and prodding the settings to find the flaws that would allow us to get around the shoddy setup. Once someone found a trick, the entire floor would know about it in an afternoon.

Or you could just use an external terminal, and not pass any card information to the POS at all. That's how my employer's terminals work. All the card data is handled by the terminal, and the terminal tells the POS system Approved or Declined.

I don't think that's what's happened. In this case, the infection was entirely localized to the terminal, bypassing the integrated system (if any) it was attached to anyway.

Personally, those integrated systems are relatively easy to get into. I know of a case where credit card data was stored whole and unencrypted on local machines. Any cashier would be able to copy thousands of credit card numbers. The software and company that had this flaw will remain nameless. Suffice it to say, however, that if you've got a POS system in Aus, there's a good chance your business was using it (it apparently got patched). As to whether this patch has resolved the issue... let's just say, if I had access to a server cluster, I'd probably be able to make some serious money. So yeah, patch not very effective.

That's a PCI compliance issue. You "can't" get into our terminals to pull the card data off. (Plus it's all encrypted). Storing anything on the local POS PC is dangerous and obviously foolish.

More likely vectors are the administration tools used to remotely update the point-of-sale computers.

I know it would be more expensive to update them on site, but perhaps remote administration is not the best choice here.

Agreed, sort of. The race to the bottom in IT support has to end. Sure, it's a cost which can be controlled. It also needs to be done by folks who are properly trained and who possess the correct skills to begin with. Remote desktop software can be set up securely. Most often, it simply isn't because the IT guys are the equivalent of trained monkeys. This has ramifications later in lost productivity, security issues and losses for third parties, even, as we see here. Somehow we have to get a handle on this.

Now, as an independent on-site IT guy, I have to say that remote support is all too often ineffective at getting to the root of the problem. Heck, even when it's a qualified person doing it, it takes longer to accomplish than it would on-site and usually ties up someone else as well to handle reboots, etc. Remote stuff can be great for things like installing updates or checking that they've been done. For actual problems, though, there should be an actual IT guy in the chair.

*shrugs* The lack of this actually makes me more money, though, when folks want me to be there to deal with the remote support guy. Florists are one of the worst, oddly. The FTD software is abysmal and the support for it even worse, IME. My bottom line appreciates that. This doesn't mean that societally we wouldn't benefit from a change, though.

It quotes the same guy I hear on the radio. He says back-end systems were infected. No CVC or PIN data compromised. He says they noticed an increase in fraudulent activity and realised it was not seasonal, which triggered a forensic investigation.